-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0234.2
                           coturn security update
                              12 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           coturn
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4059 CVE-2018-4058 CVE-2018-4056

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4373
   https://lists.debian.org/debian-lts-announce/2019/02/msg00017.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running coturn check for an updated version of the software for
         their operating system.

         This bulletin contains two (2) advisories.

Revision History:  February 12 2019: DLA 1671-1 added support for Debian 8
                   January  29 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4373-1                   security@debian.org
https://www.debian.org/security/                       Yves-Alexis Perez
January 28, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : coturn
CVE ID         : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server
for VoIP.

CVE-2018-4056

    An SQL injection vulnerability was discovered in the coTURN
    administrator web portal. As the administration web interface is
    shared with the production one, it is unfortunately not possible to
    easily filter outside access, and this security update completely
    disables the web interface. Users should use the local command line
    interface instead.

CVE-2018-4058

    The default configuration enables unsafe loopback forwarding. A remote
    attacker with access to the TURN interface can use this vulnerability
    to gain access to services that should be local only.

CVE-2018-4059

    The default configuration uses an empty password for the local command
    line administration interface. An attacker with access to the local
    console (either a local attacker or a remote attacker taking advantage
    of CVE-2018-4058) could escalate privileges to administrator of the
    coTURN server.

For the stable distribution (stretch), these problems have been fixed in
version 4.5.0.5-1+deb9u1.

We recommend that you upgrade your coturn packages.

For the detailed security status of coturn please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/coturn

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

- --------------------------------------------------------------------------------

Package        : coturn
Version        : 4.2.1.2-1+deb8u1
CVE ID         : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server
for VoIP.

CVE-2018-4056

    An SQL injection vulnerability was discovered in the coTURN
    administrator web portal. As the administration web interface is
    shared with the production one, it is unfortunately not possible to
    easily filter outside access, and this security update completely
    disables the web interface. Users should use the local command line
    interface instead.

CVE-2018-4058

    The default configuration enables unsafe loopback forwarding. A remote
    attacker with access to the TURN interface can use this vulnerability
    to gain access to services that should be local only.

CVE-2018-4059

    The default configuration uses an empty password for the local command
    line administration interface. An attacker with access to the local
    console (either a local attacker or a remote attacker taking advantage
    of CVE-2018-4058) could escalate privileges to administrator of the
    coTURN server.

For Debian 8 "Jessie", these problems have been fixed in version
4.2.1.2-1+deb8u1.

We recommend that you upgrade your coturn packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
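The three CVEs above all come down to configuration state that an operator can verify on a host that cannot yet be upgraded. The following Python script is an added example, not part of the Debian or AusCERT text: it parses a constructed turnserver.conf and reports which of the advisory's weaknesses it still carries. The option names no-loopback-peers and cli-password are coturn's turnserver.conf keys; web-admin is assumed to be the key that enables the administrator web portal in the 4.5.0.x line the DSA covers.

```python
# Constructed sample turnserver.conf carrying the three insecure defaults the
# advisory describes: loopback peers not blocked, no CLI password, and the
# admin web portal switched on. `web-admin` is assumed to be the 4.5.0.x key.
INSECURE_CONF = """\
# turnserver.conf (constructed sample)
listening-port=3478
realm=turn.example.invalid
#no-loopback-peers
cli-ip=127.0.0.1
cli-port=5766
#cli-password=qwerty
web-admin
"""

# The same config after applying the advisory's remediation (constructed).
HARDENED_CONF = """\
listening-port=3478
realm=turn.example.invalid
no-loopback-peers
cli-ip=127.0.0.1
cli-port=5766
cli-password=$5$constructed-hash-placeholder
"""

def parse_turnserver_conf(text):
    """Parse turnserver.conf lines into a dict; bare flags map to True."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        key, sep, val = line.partition("=")
        opts[key.strip()] = val.strip() if sep else True
    return opts

def audit(opts):
    """Return the advisory's weaknesses still present in a parsed config."""
    findings = []
    if "no-loopback-peers" not in opts:
        findings.append("CVE-2018-4058: loopback peers allowed; set no-loopback-peers")
    if not opts.get("cli-password"):
        findings.append("CVE-2018-4059: empty CLI admin password; set cli-password")
    if "web-admin" in opts:
        findings.append("CVE-2018-4056: admin web portal enabled; remove web-admin")
    return findings

def audit_text(text):
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit(parse_turnserver_conf(text))
```

Run `audit_text(open("/etc/turnserver.conf").read())` on a host to get the list of outstanding items; an empty list means the three advisory items are addressed in the file, though only the fixed package versions address the SQL injection itself.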